3e541100c869dba06ee62252a9661e5a06c2e685a7ddd5288ea1358703412385 | Triage

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-05-2024 07:57

Sharing

Report Analysis Logs

General

Target

ReduceMemory.exe
Size

776KB
MD5

0d626331715cc35aa377a8503f85c92a
SHA1

26aad89595f00068151d3676297ceec394e718af
SHA256

3e541100c869dba06ee62252a9661e5a06c2e685a7ddd5288ea1358703412385
SHA512

6dcdc39672dd00873c55753ba02ad05dc61ef028a4de385d5af38f30c4959342ac25f0ae936a19fb29100a49ab379f16f5288578434e1aea83b03e596d999996
SSDEEP

12288:UaWzgMg7v3qnCiHErQohh0F4aCJ8lny7QSpJJ9vZ+dAy2s:LaHMv6C7rjCny7QQx+Is

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2724	ReduceMemory.exe
2724	ReduceMemory.exe
2724	ReduceMemory.exe
2444	ReduceMemory.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2444	ReduceMemory.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	ReduceMemory.exe
Token: SeAssignPrimaryTokenPrivilege	2724	ReduceMemory.exe
Token: SeIncreaseQuotaPrivilege	2724	ReduceMemory.exe
Token: 0	2724	ReduceMemory.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe
2444	ReduceMemory.exe

C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe
"C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2724
- C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe
  C:\Users\Admin\AppData\Local\Temp\ReduceMemory.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ReduceMemory.ini

Filesize
2KB

MD5
3656d2095539dbbcdd6cae3be135295f

SHA1
435e10d0f284b6087197fa45c1e7f2732c5a5f32

SHA256
7967ee2678fc8c6bb0146308899fa0bcb3734e5bb1ce7391129ab89708692467

SHA512
6faacf8bd5b83825a3afb9cf00a2f08a44abb80d8862094c841a0d4f8f3781f0f80ae532508e189c05715d01fe82a1484b2b2d321ce8885a23142f25e689e445

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjmjrdpo.tmp

Filesize
16KB

MD5
16b8b02374f891bf3918b3dc5d455fb9

SHA1
16292a7d65fcc2bc212444688b8f7d5da1f441e2

SHA256
fb7cb0796834815a50e9cc917180ed57c715797af16b9f1d85f5f723f9991e01

SHA512
fb71849c0a3b069a761d0cab918b3e415f43c0aa0b85e9e9633185192020f43bf0bf2c539a2499ec5ebe7f197f8f9d6d83c8ebdc03739d3ec0adeedde049cde3

Download Submit